Bugs: Exploring Heartbleed, Shellshock, Ghost And Beyond

Bugs: Exploring Heartbleed, Shellshock, Ghost And Beyond

The term ‘bug’ has firmly entered our everyday lexicon. No doubt driven by the mainstream press coverage of the Millennium Bug and the more recent Heartbleed, Shellshock and Ghost. Indeed, I recently overheard an elderly couple on the tube discussing Ghost only hours after it was officially announced. Google’s Ngram Viewer is also a great tool for charting the frequency that a word appears in Google’s vast collection of scanned books (5 million+) going back 500 years. If we look at the last 75 years we can see how the term “computer bug” peaked around the turn of the millennium.

The etymology of bug is fascinating and largely attributed to one of the greats of the Computer Science world, Grace Murray Hopper, as she worked on Harvard’s famed Mark I/II computer. In1947, a physical malfunction in the Mark II computer was traced backto a moth stuck in one of the relays. Grace Hopper taped it to the operationslogbook with the note “First actual case of bug being found”.

That said, Thomas Edison was using it as far back as 1878,when he wrote to Theodore Puskas, “It has been just so in all my inventions. Thefirst step is an intuition—and comes with a burst, then difficultiesarise. This thing gives out and then that—‘Bugs’—as such little faults anddifficulties are called—show themselves.” You can read more here.

Back to Heartbleed, Shellshock and Ghost which are,technically, a ‘vulnerability’. While it and ‘bug’ are often used synonymously a vulnerability is defined as:

A flaw or weakness in a system’s design, implementation, or operation and management that could be exploited to violate the system’s security policy. (IETF RFC 2828)

That flaw/weakness could be poor design or a specific bug that causes the system to produce an incorrect or unexpected result.

A key online resource in managing vulnerabilities is the National Vulnerability Database (NVD) a US government repository. The NVD categorises, summarises and ranks (based on the Common Vulnerability Scoring System, CVSS) vulnerabilities. It is therefore useful to look at the CVSS when considering these recent high profile bugs:

Heartbleed:

Shellshock:

Ghost:

And so, it can be seen that Shellshock and Ghost are by far the most serious of these bugs with a score of 10. Heartbleed, arguably more famous, comes in at 5 largely due to the ease in which it can be exploited but it’s overall impact was scored with a low 2.9.

To put these in context, there were 1,914 bugs in 2014 that had a score of between 7 and 10.

That represents 24% of all the 7,903 bugs recorded by the NVD in the 2014, it is also worth noting that 2014 was a record year for the total number of bugs (over the last 17 years).

At Options we take the security of our platform and that of our customers very seriously and we use the CVSS as one of the key factors in reviewing and prioritising bugs. This feeds into our five-step Threat Assessment and Management process (also referred to internally as REACT):

1. Review – We regularly monitor the NVD and other various websites for alerts on bugs.

2. Engage – We engage internal technical teams and vendors to review and triage bugs that may impact Options or our customers.

3. Assess – We assess the threat to our systems and our clients’ systems, considering its impact on our infrastructure with the following priority:

– Customer infrastructure that has exposure to external networks.

– Options infrastructure that has exposure to external networks and customers.

– Customer infrastructure on secure networks.

– All other Options infrastructure.

4. Communicate – Where there is a potential for impact we notify customers of the threat and keep them informed as we draw up a plan and to rectify the problem.

5. Tackle – A plan is drawn up to tackle the problem, rolling-out required patches and fixes as appropriate. This is communicated to the customer and a schedule for implementation is agreed.

Considering the above, it’s pretty clear that “bugs” are here to stay and we certainly expect to be talking about them a lot more in the future. But this is no bad thing – the industry in general continues to show real commitment to transparency in how we identify, inform and handle such bugs that ultimately affect all of our lives. Recently, Google threw it’s considerably sized hat into the ring with the launch of Project Zero – a team of security experts tasked with finding and exposing vulnerabilities in any software. We’ll certainly be keeping a close eye on their work.

If you’d like more information on these bugs or anything discussed here please do drop us an email atsupport@options-it.com.